Chaos Computer Club hackers trick Apple’s TouchID security feature

If you have finger-smudged glass, a laser printer, and latex milk, you can beat it too.

Germany's Chaos Computer Club claims to have tricked Apple's new TouchID security feature this weekend. In a blog post on the breakthrough, the CCC writes that they bypassed the fingerprint reader by simply starting with "the fingerprint of the phone user photographed from a glass surface."

The entire process is documented by hacker Starbug in the video above, and the club outlines it in a how-to. For this particular initiative, the CCC started by photographing a fingerprint at 2400 dpi. Next the image was inverted and laser printed at 1200 dpi. To create the fingerprint mask Starbug finally used, latex milk was poured into the pattern, eventually lifted, breathed on (for moisture), and pushed onto the sensor to unlock the phone. In this sense, it's hard to definitively state the hackers "broke" the TouchID precautions, because they did not circumvent the security measure without access to the fingerprint. (TouchID could similarly be cleared with a GTA V-like strategy of knocking the phone user unconscious and pressing finger-to-sensor.) However, the CCC did successfully trick TouchID into working as advertised for an individual who wasn't the phone user.

The CCC, and Starbug in particular, are well-known critics of biometric security systems. Back in 2008, Starbug even cloned the fingerprint of a German politician who advocated for collecting citizens' unique physical characteristics as a means of preventing terrorism.

TouchID is a new addition to Apple's iPhone 5S, and Ars will have a full review of both the phone and feature this week. With TouchID, a sensor is embedded in the home button and can be used to unlock your iPhone instead of a traditional PIN. However, you can't unlock the phone with just a fingerprint if the device hasn't been unlocked in 48 hours or has been reset. Both instances require the use of a traditional PIN.

To quell some security concerns, Apple emphasized the fact that this fingerprint data will be encrypted and stored locally on a device and never uploaded to any cloud storage. Ars Security Editor Dan Goodin wrote extensively about potential pros and cons with the TouchID setup as we knew it, and he identified this specific vulnerability as the first red flag:

Unlike a password or encryption key, there's no practical way to keep fingerprints, iris patterns, and many other unique physical characteristics secret. Except for the most eccentric of recluses, this information leaks every time we take a train to work, eat at a restaurant, or go to a movie. Relying on a fingerprint as the sole means of authentication—or even as a second factor in authentication—raises the troubling question: what action do I take if someone manages to reverse engineer, appropriate, or otherwise clone a high-fidelity replica of my fingerprint, heartbeat, or iris?

CNET also noted that there's no official word on whether CCC's methods will qualify as a hack of the TouchID system. The distinction could be worth more than $16,000 (plus a couple of whiskey bottles and an iPhone 5C) with the IsTouchIDhackedyet.com bounty program underway.

190 Reader Comments

But seriously: if someone is so desperate to get into your phone they might as well just look over your shoulder to get the password. I mean TouchID was not meant to prevent professionals from getting into your phone but to drive off your local thieves because it is a much easier and less annoying security measure to a lot of people.

I'm just surprised it was that easy. The problem with Apple is everything is a secret. Good for marketing, but it makes the customer a beta tester. A little less secrecy and a bit more QA is what Apple should do, especially with the big G nipping at their heels.

- be a respected entity in the field of IT security (google CCC if you do not know them)
- fake a circumvention of an IT security feature which can be easily verified
- get proven wrong because no one can verify what you claimed
- enjoy a not insignificant decrease of your respectability and suffer a fair amount of ridicule
- ???
- profit

Yes, makes a lot of sense to me.

You might argue that the 5S they used *might* be faulty or that iOS has some bug there, but suggesting they might have faked it only shows a lack both of knowledge who the CCC is and of common sense.

CCC isn't a unified organization like that. It's got like 5000+ members. They have however done a lot of fingerprint related stuff. Oh yeah and satellites.

It's not that nobody should question them. Question all you want. That's healthy. It's more likely in this case that they have nothing to gain from faking it to actually demonstrating the fault out of good faith. We'll all know in the next week anyway.

Honestly, who is surprised that the fingerprint scanner could be tricked?

No one has yet built a fingerprint scanner that could not be tricked. Why would Apple be the first to do this? It would involve a lot of inconvenience and slow the fingerprint scanning down to even try. Doing things like scanning blood flow patterns and measuring the pulse pattern are known ways to make it more secure - but it would also make it slower and error prone.

For Apple this is a convenience feature. For people who want a passcode, but could not be bothered to type it in. Make it fast and reasonably reliable and you have a great selling point.

The fact that Apple does not even support requiring both fingerprint and passcode should be a very clear indication that maximizing security has not been a design goal.

"Alright, we swipe the mark's phone while he's distracted by the eye candy–we'll have to make sure to snag it right after he's left a flawless fingerprint on an otherwise clean screen. Ethan, you'll courier it to Stone. Stone, be ready with the camera. Genvieve, you'll be on the 3D printer... we'll need to source latex milk. If we're good, we'll be able to get it done before the mark realizes his phone is gone and activates the lock on Find My Phone. If we're really good we'll be able to get the phone back to him while the music crescendos in the background."

I see comments here and on YouTube doubting that the video is actual proof, because it might be the wrong guy's finger. Given how easy it is to fake such videos, would anyone even accept any video as proof?

They have done the only thing that can prove such a claim, they provided the instructions on how to reproduce. Anyone who doubts or wants to convince themselves of the hack, just try it out. How about Ars doing a test?

For Apple this is a convenience feature. For people who want a passcode, but could not be bothered to type it in. Make it fast and reasonably reliable and you have a great selling point.

The fact that Apple does not even support requiring both fingerprint and passcode should be a very clear indication that maximizing security has not been a design goal.

That's exactly what it is. It's not intended to protect state secrets, it's to prevent your jealous partner from reading your texts or your kids from spending your money on in-game purchases - without having to type a passcode all the time.

I for one never expected it to be foolproof. It will be interesting when someone can actually break TouchID using everyday office supplies and under a minute or two. If that happens then Apple will deserve lots of flak. Otherwise educating people on the inherent risk of biometrics is good.

Apple put this feature in the phone. They would have certainly known it could be hacked so easily. Now it's been hacked .. and Apple have lost control of the PR - which I see as a bad move by Apple. They should have divulged this method upfront and passed it off as not being suitable. To deny this is the "security through obscurity" argument, which is very poor form.

Is the finger-print scanner still worth it? I'd say yes, if you use a passcode to unlock, but all other activities can use the fingerprint, you've covered all bases (so far).

Be prepared for fanboys to insist that Apple planned this all along. Be prepared for haters to say that Apple have implemented a white elephant.

TL;DR? Bad PR for Apple. Still workable.

Hey, it is not like you can buy stuff using the finger print reader....oh wait!

The attack as described is pretty involved, but doable. It's good enough to ward off common thieves and such, but not determined and resourced adversaries. If that is what you want to protect your phone against, then touch id is insufficient (I'd be hard pressed to find anything on a non-specialist device that will protect against that). But for most people, this is probably more secure than a pin.

As always with security, you need to consider what and who you're protecting against.

Whine: if it isn't absolutely perfect, it's worthless and Apple is a big fat liar and can't innovate and their feet stink.

Reality: if that's what it takes to break TouchID, it's plenty secure enough to deter theft and for online commerce, which is all anybody cares about. There's no way an iPhone is worth the effort they put into that exploit and the credit card companies will love the extra level of security. They are currently getting robbed blind. As you know, the biggest threat with credit cards is from the waiter/salesperson/online vendor who takes your card & info. TouchID would directly address that problem and many others.

Apple put this feature in the phone. They would have certainly known it could be hacked so easily. Now it's been hacked .. and Apple have lost control of the PR - which I see as a bad move by Apple. They should have divulged this method upfront and passed it off as not being suitable. To deny this is the "security through obscurity" argument, which is very poor form.

Is the finger-print scanner still worth it? I'd say yes, if you use a passcode to unlock, but all other activities can use the fingerprint, you've covered all bases (so far).

Be prepared for fanboys to insist that Apple planned this all along. Be prepared for haters to say that Apple have implemented a white elephant.

TL;DR? Bad PR for Apple. Still workable.

I don't think your average user is going to care.

Contrary to the beliefs of narcissists your information is simply not valuable enough to where something like this will be worth doing.

Are you a whistleblower? A controversial journalist? Someone with a lot of skeletons in your closet? You may have something to worry about, but Joe Consumer is not going to have his fingerprints lifted just to see what's in his phone, nor is a cop going to haul you into court just to prove you were texting and driving.

Honestly, who is surprised that the fingerprint scanner could be tricked? [...] For Apple this is a convenience feature.

Well, on the Apple site, they call it 'highly secure.'

I'd say it is (at least with this attack - if an easier attack is found I wouldn't be sure) - instead of, say, a complex password that drives people to write it down, or a short pin that can easily be seen and memorised by looking over someone's shoulder.

I'm not saying this system is secure for everyone, just that it is good enough for most people - and crucially, is probably better for most people at securing a phone. Better for a tech or security savvy person? No way, but you'd already have known that before this attack was found.

I do not mean to insinuate that the touch sensor is at fault but there will never be a foolproof system and like the video shows this particular method there are tons of people out there trying to get around the sensor or to hack it. It simply means you will still need to be careful with your phone.

We need to keep in mind that someone with enough interest to see the contents of your phone and a willingness to try anything is all that is needed to defeat the phone's security measures. (Like forcing you to unlock it and give the pin at gunpoint for example or compelling you through a court order in the case of law enforcement.)

Anyone that believes fingerprint readers are safe is a dummy or watches too many movies. So technically it's impossible that Apple has developed one that is secure. This is the reason why phones don't have this. It's pure marketing, but not secure. Getting someone's fingerprint is easier than trying to guess his password.

Fingerprint readers are a security measure to be used in combination with something else. Usually a password. This means that you scan the finger, then input your password. Usually this is how it works in computers, and the reason is that you have 2 security methods, something you have and something you know. So one of it alone is useless.

In some places that are already secure, like a server room in a datacenter, etc, you can use fingerprint just to identify the person logging in or as an easy fast replacement to keypads. But in public devices, like a phone that can be stolen and where you have no control on who is using it, it's another story. Getting someone's fingerprint is easy, just hand them a glass, and stealing their phone should not be hard either.

A fingerprint adds a lot of security to a computer or any system but it has never been relied on on its own. It needs to be used in combination with a pin or password or unless it's in a safe environment with medium level securities.

This is why you will never see this as lock systems, like in a car, or any device that moves and can be stolen or lost.

As consolation, the swipe unlock pattern feature in most phones is not secure either, as anyone filming your phone can replicate it. With all the security cameras on public and private places this would be even easier than actually getting your fingerprint.

My only two issues with Apple's fingerprint scanner are their touting it as some super advanced scanner and that people can set it up to make purchases with the fingerprint. Otherwise, for most people, it's sufficient security, about on par with the latches on gates. It keeps out the casual intruder.

"Much of our digital lives are stored on our iPhones, and everyone should use a passcode to help protect this important information and their privacy. Unfortunately, not everyone does; more than 50 percent of smartphone users don't use a passcode. Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike. Touch ID is a seamless way to use your fingerprint as a passcode. With just a touch of the Home button of your iPhone 5s, the Touch ID sensor quickly reads your fingerprint and automatically unlocks your phone. You can even use it to authorize purchases from the iTunes Store, App Store, and iBooks Store."

What is with the diatribe? This was previously done by MythBusters. They bypassed many security systems in one of the episodes and one method they used has nearly the same functionality as the one presented, although they were much funnier.

Beating the system when one has access to the fingers should be fairly easy. The trouble starts when someone uses a thumb on the left hand and normally operates the phone with their right hand. Choose a different finger, problem is now just a tad more difficult.

I was voted down some days ago when I said that TouchID just scans a certain pattern on a material with certain physical properties and when you can replicate that pattern on a material with similar properties you can fake it.

This is self-evident. A fingerprint is not a magic property, it's just a certain pattern with certain properties and it's totally possible to fake these.

This does not mean it is worthless. It's much more convenient than a password or a PIN code and it is much more secure than no password or PIN code. For most everyday purposes TouchID is a great thing to have. A thief won't go through any lengths to get at your fingerprints and fake your finger but if your phone is not secured in any way he may do some harm.

But anyway, this is very bad PR for Apple and I think TouchID was a bad idea. The fingerprint sensor was a low-hanging fruit for Apple to offer something new and cool, but Apple should have resisted this temptation. No fingerprint sensor can be in any way really secure. It's convenient, yes. Apple should have been much more up-front about this.

By the way, the Android option of drawing a pattern through some numbers is very much the same: On most well-used phones it's fairly easy to see the pattern by the smears on the display. It's more convenient than secure and probably less convenient and less secure than TouchID.

If you want security you need a password. Apple would have been wise to allow two-factor logins (fingerprint AND password or PIN code) from the start as an option. This would have allowed them to answer this now with some clear words about security, along with the recommended settings to implement it on an iPhone.

But Apple isn't wise anymore. Not using TouchID to allow two-factor security on the iPhone was idiotic and they deserve any ridicule they will get now. Doing this would have been easy and would have propelled them far above any other system for many purposes. Not doing this exposes them to everything they deserve.

Really, looking at Apple right now is just sad. So much potential, so many epic fails.

[Edit: I would really like if people downvoting this would actually tell me where this is wrong. Really, I want to know where I'm wrong. Tell me. The fucking pattern on your finger is not a part of your soul. Your skin is a fairly simple multi-layered material with a fairly simple pattern on it. It's easy to replicate and any sophistication in a sensor has really tight limits to work with. This was to be expected and if you have a scientific bone in your body you know it.]

For Apple this is a convenience feature. For people who want a passcode, but could not be bothered to type it in. Make it fast and reasonably reliable and you have a great selling point.

The fact that Apple does not even support requiring both fingerprint and passcode should be a very clear indication that maximizing security has not been a design goal.

That's exactly what it is. It's not intended to protect state secrets, it's to prevent your jealous partner from reading your texts or your kids from spending your money on in-game purchases - without having to type a passcode all the time.

Actually, this is almost useless if you want "to prevent your jealous partner from reading your texts".

All she/he has to do is to wait until you are sleeping, then use your finger to unlock it.

This is however a very convenient feature and I would use it if I had an iPhone, but users should be aware of its limitations.

Having to type a passcode annoys me greatly, so I only enabled it for the phone startup. So this would be an improvement for the security of my phone, even though it's not bulletproof.